While the benefits of IM are clear and compelling, the risks associated with sharing sensitive information in an IM environment are often overlooked. We need a mechanism that permits communities of users to protect their IM conversations. This document presents an extension protocol that can be incorporated into the existing XMPP protocol to provide such a mechanism.

In addition to its ability to protect instant message data, the proposed protocol may also serve as a foundation for securing other data transported via XMPP extensions.

Term

Definition

User

A user is simply any XMPP user. Users are uniquely identified by a JID; they connect to XMPP hosts using a XMPP node. Users produce and consume information, and we wish to provide them with mechanisms that can be used to protect this information.

Community

A community is a collection of users who wish to communicate via XMPP. No restrictions or assumptions are made about the size of communities or the geographical, organizational, or national attributes of the members. Communities are assumed to be dynamic and ad-hoc. Users typically join communities by the simple act of invitation. All members of a community are assumed to be peers. The members of communities share information among themselves, and we wish to provide them with mechanisms that can permit information to only be shared by community members.

Conversation

A conversation is the set of messages that flows among the members of a community via some network. Conversations consist of both the actual conversation data produced and consumed by the various users as well as the XMPP protocol elements that transport it. Members participate in a conversation when they are the source or destination of this traffic.

Initiator

The initiator is the user who requested a security session negotiation. Initiator's are identified by their JID.

Responder

The responder is the user who responded to a security session negotiation request. Responder's are identified by their JID.

Concatentation operator

The '|' character is used in character or octet string expressions to indicate concatenation.

PFS

Perfect Forward Secrecy. In cryptography, is said of a key-establishment protocol in which the compromise of a session key or long-term private key after a given session does not cause the compromise of any earlier session.

GRP

The definition of a Diffie-Hellman group length

DHx

The Diffie-Hellman ephemeral public keys for the initiator (x=i) and the responder (x=r)

KEY

The Diffie-Hellman ephemeral session secret that is agreed to during a key exchange negotiation.

CKYx

A 64 bits pseudo-random number or cookie generated by the initiator (x=i) and responder (x=r) in the authenticated key exchange.

KEYID

The concatenation of CKI-I and CKI-r and the domain of interpretation. It is the name of the keying material.

sKEYID

This is the keying material named by KEYID. It is never transmitted but is used in the various calculations made by the exchanging parties.

EHAo

A list of encryption/hash/authentication algorithms choices.

EHAs

The selected reference encryption/hash/authentication choice.

Nx

The nonces selected by the initiator (x=i) and the responder (x=r)

JIDx

The identities of the initiator (x=i) and the responder (x=r)

E{value}Kx

The encryption of value with the public key of the initiator (x=i) and the responder (x=r). Encryption is done using the algorithm associated with the authentication method. Usually this will be RSA

D{value}Kx

The decryption of value with the public key of the initiator (x=i) and the responder (x=r). Decryption is done using the algorithm associated with the authentication method. Usually this will be RSA

S{value}Kx

The signature of value with the private key of the initiator (x=i) and the responder (x=r). Signing is done using the algorithm associated with the authentication method. Usually this will be RSA or DSS

prf(a, b)

The result of applying pseudo-random function "a" to data "b". One may think of "a" as a key or as a value that characterizes the function prf; in the latter case it is the index into a family of functions. Each function in the family provides a "hash" or one-way mixing of the input.

prf(0, b)

The application of a one-way function to data "b". The similarity with the previous notation is deliberate and indicates that a single algorithm, e.g. MD5, might will used for both purposes. In the first case a "keyed" MD5 transform would be used with key "a"; in the second case the transform would have the fixed key value zero, resulting in a one-way function.

The proposed protocol is designed to address the specific requirements and considerations presented in this section.

A secure IM system must permit conversation participants to preserve the following properties of their conversation data:

Property

Description

confidentiality

Conversation data must only be disclosed to authorized recipients

integrity

Conversation data must not be altered

data origin authentication

Recipients must be able to determine the identity of the sender and trust that the message did, in fact, come from the sender. It is important to note that this requirement does not include the requirement of a durable digital signature on conversation data.

replay protection

Recipients must be able to detect and ignore duplicate conversation data.

These are established, traditional goals of information security applied to the conversation data. In the IM environment, these goals protect against the following attacks:

eavesdropping, snooping, etc.

masquerading as a conversation participant

forging messages

Preserving the availability of conversation data is not addressed by this protocol.

Finally, note that this protocol does not concern any authentication between an XMPP node and an XMPP host.

A secure IM system must support a data classification feature through the use of security labeling. Conversation participants must be able to associate a security label with each piece of conversation data. This label may be used to specify a data classification level for the conversation data.

It is easy to imagine XMPP systems in which the servers play active, fundamental roles in the protection of conversation data. Such systems could offer many advantages, like:

allowing the servers to function as credential issuing authorities,

allowing the servers to function as policy enforcement points.

Unfortunately, such systems have significant disadvantages when one considers the nature of instant messaging:

Many servers may be un-trusted, public servers.

In many conversation communities, decisions of trust and membership can only be adequately defined by the members themselves.

In many conversation communities, membership in the community changes in real time based upon the dynamics of the conversation.

In many conversation communities, the data classification of the conversation changes in real time based upon the dynamics of the conversation.

Furthermore, the use of gateways to external IM systems is a further complication.

Based on this analysis, we propose that security be entirely controlled in an end to end fashion by the conversation participants themselves via their user agent software.

Similarly, we believe that trust decisions are in the hands of the conversation participants. A security protocol and appropriate user agents must provide a mechanism for them to make informed decisions.

One of the accepted axioms of security is that people must avoid the temptation to start from scratch and produce new, untested algorithms and protocols. History has demonstrated that such approaches are likely to contain flaws and that considerable time and effort are required to identify and address all of these flaws. Any new security protocol should be based on existing, established algorithms and protocols.

Any new IM security protocol must integrate smoothly into the existing IM environment, and it must also recognize the nature of the transactions performed by conversation participants. These considerations are especially important:

dynamic communities. The members of a community are defined in near real time by the existing members.

dynamic conversations. Conversations may involve any possible subset of the entire set of community members.

Given the requirement to place the responsibility for the protection of conversation data in the hands of the participants, it is imperative to address some fundamental usability issues:

Overall ease of use is a requirement. For protocol purposes, one implication is that some form of authentication via passphrases is necessary. While we recognize that this can have appalling consequences, especially when we realize that a passphrase may be shared by all of the community members, we also recognize its utility.

PKIs are well established in many large organizations, and some communities will prefer to rely on credentials issued from these authorities. We must allow the use of existing PKI credentials and trust models rather than impose closed, XMPP-specific credentials.

Performance must not be negatively impacted. This is particularly true if we consider that most communities are composed of human users conversing in real time. For protocol purposes, one obvious implication is the desire to minimize computationally expensive public key operations.

To successfully integrate into the existing XMPP environment, an extension protocol for security must satisfy the following:

It must be an optional extension of the existing XMPP protocol.

It must be transparent to existing XMPP servers.

It must function gracefully in cases where some community members are not running a user agent that supports the protocol.

It must make good use of XML.

It must avoid encumbered algorithms.

It must be straightforward to implement using widely available cryptographic toolkits.

It must not require a PKI.

Since cryptographic operations are applied to data that is transported within an XML stream, the protocol defines a set of rules to ensure a consistent interpretation by all conversation participants.

Binary data, such as the result of an HMAC, is always transported in an encoded form; the only supported encoding scheme is base64.

Senders MAY include arbitrary white space within the character stream. Senders SHOULD NOT include any other characters outside of the encoding set.

Receivers MUST ignore all characters not in the encoding set.

Encrypted data is always transported in an encoded form; the only supported encoding scheme is base64.

Senders MAY include arbitrary white space within the character stream. Senders SHOULD NOT include any other characters outside of the encoding set.

Receivers MUST ignore all characters not in the encoding set.

HMACs are computed over a specific collection of attribute values and character data; when computing an HMAC the following rules apply:

All characters MUST be HMACed in their pure Unicode form encoded in UTF-16.

The octets in each character MUST be processed in network byte order.

For a given element, the attribute values that are HMACed MUST be processed in the specified order regardless of the order in which they appear in the element tag.

For each attribute value, the computation MUST only include characters from the anticipated set defined in this specification; in particular, white space MUST always be ignored.

For character data that is represented in a base64 encoded form, the computation MUST only include valid characters from the encoding set.

The following algorithm is used to encrypt a character string:

The character string MUST be represented in Unicode encoded in UTF-16.

The octets in each character MUST be processed in network byte order.

Appropriate cryptographic algorithm parameters, such as an IV for a block cipher, are generated.

The octet string derived from the character string is padded with up to 256 octets of arbitrary padding data. There MUST be at least one padding octet. The last octet of the padding MUST indicate the number of preceeding octets in the stream. All padding octets except the last octet SHOULD be randomly generated. When block ciphers are used, the padding MUST result in a stream of octets that is a multiple of the cipher's block size.

When used to extend existing XMPP construct, the container element is an <x/> element. Each <x/> element could have one <SecurityAssociation/> to refer to a particular security session, one <KeyAgreement/> element which would contain the information for an an exchange of keys. The <x/> element could have its content authenticated by one <Signature/> element which contains the information about signature of information exchanged between two nodes. The <x/> element may contains one <KeyTransport/> element which contains the information about keys to be securely exchanged between two nodes.

When used in an IQ XMPP construct, the container element is a <query/> element. Each <query/> element could have one <SecurityAssociation/> to refer to a particular security session, one <KeyAgreement/> element which would contain the information for an an exchange of keys. The <query/> element could have its content authenticated by one <Signature/> element which contains the information about signature of information exchanged between two nodes. The <query/> element may contains one <KeyTransport/> element which contains the information about keys to be securely exchanged between two nodes.

Each <SecurityAssociation/> element may have <DigestMethod/>, <EncryptionMethod/> and <SignatureMethod/> elements to specify the actual algorithms set that will be used in a key exchange.

Each <KeyAgreement/> element may have a <DHKeyValue/> and a < DHParamters/> elements to specify the actual data and parameters used in the key exchange. It may also contain a <KA-Nonce/> element to specify a nonce to be used in a key exchange.

Attribute

Meaning

id

The id attribute hold the agreement or security association ID, when present.

length

The length attribute hold the require number of bits in the prime number used to generate the DH key pair.

Element

Meaning

SecurityAssociation

The <SecurityAssociation/> tag is used to encapsulate EncryptionMethod, DigestMethod, SignatureMethod data. It is used as a container for the different algorithm definition that are negotiated for the session.

AgreementMethod

The <AgreementMethod/> tag is an optional element that identifies the key agreement algorithm to be applied to an object.

DigestMethod

The <DigestMethod/> tag is an optional element that identifies the digest algorithm to be applied to an object.

DigestValue

The <DigestValue/> tag is an optional element that contains the encoded value of a digest.

EncryptionMethod

The <EncryptionMethod/> tag is an optional element that describes the encryption algorithm applied to the cipher data. If the element is absent, the encryption algorithm must be known by the recipient or the decryption will fail.

Signature

The <Signature/> tag is used to encapsulate signature data. It is used as a container of other XML structures that could come from any namespace.

SignatureMethod

The <SignatureMethod/> tag is an optional element that specifies the algorithm used for signature generation and validation.

SignatureValue

The <SignatureValue/> tag is an optional element that contains the encoded value of a signature.

SignedInfo

The <SignedInfo/> tag includes the canonicalization algorithm, a signature algorithm, and one or more references. The SignedInfo element may contain an optional ID attribute that will allow it to be referenced by other signatures and objects. It is in the http://www.w3.org/2000/09/xmldsig# namespace.

KA-Nonce

The <KA-Nonce/> tag is an optional element under <KeyAgreement/> to assure that different keying material is generated even for repeated agreements using the same sender and recipient public keys.

KeyAgreement

The <KeyAgreement/> tag is used to encapsulate key agreement data. It is used as a container of other XML structures that could come from external namespace.

KeyInfo

The <KeyInfo/> tag is used to encapsulate key information data. It enables the recipient to obtain the key needed to validate a signature. <KeyInfo/> may contain keys, names, certificates and other public key management information, such as in-band key distribution or key agreement data. It is used as a container of other XML structures that could come from external namespace.

OriginatorKeyInfo

The <OriginatorKeyInfo/> tag is used to encapsulate originator key information data in a key agreement. It is of type <KeyInfo/> and used as a container of other XML structures that could come from external namespace.

RecipientKeyInfo

The <RecipientKeyInfo/> tag is used to encapsulate recipient key information data in a key agreement. It is It is of type <KeyInfo/> and used as a container of other XML structures that could come from external namespace.

KeyName

The <KeyName/> tag is an optional element of <KeyInfo/> and contains a string value (in which white space is significant) which may be used to communicate a key identifiert to the recipient.

KeyValue

The <KeyValue/> tag contains a single public key that may be useful in validating a signature. The KeyValue element may include externally defined public keys values represented as PCDATA or element types from an external namespace

KeyTransport

The <KeyTransport/> tag is used to encapsulate transported key data. It is used as a container of other XML structures that could come from any namespace.

CarriedKeyName

The <CarriedKeyName/> tag is optional and used to specified the name of the transported key.

DHKeyValue

The <DHKeyValue/> tag is used to encapsulate a Diffie-Hellman key agreement content. It is designed to follow the XML digital signature standard.

DHParameters

The <DHParameters/> tag is used to to encapsulate a Diffie-Hellman key exchange parameters.

Public

The <Public/> tag is holding the actual content of a Diffie-Hellman public key.

X509Data

The <X509Data/> tag is an optional element holding one or more identifiers of keys or X509 certificates, or certificates' identifiers or a revocation list. It is in the http://www.w3.org/2000/09/xmldsig# namespace.

PGPData

The <PGPData/> tag is an optional element used to convey information related to PGP public key pairs and signatures on such keys. It is in the http://www.w3.org/2000/09/xmldsig# namespace.

DSAKeyValue

The <DSAKeyValue/> tag is optional and defines a DSA public key inside a <KeyInfo/> element. It is in the http://www.w3.org/2000/09/xmldsig# namespace.

RSAKeyValue

The <RSAKeyValue/> tag is optional and defines a RSA public key inside a <KeyInfo/> element. It is in the http://www.w3.org/2000/09/xmldsig# namespace.

Element

Attribute

Value

Meaning

KeyAgreement

id

CDATA

The agreement ID

length

null

CDATA

The length of the prime number to be used by default is 768 bits. The length of the prime number to be usedas defined in the IKE Diffie-Hellman groups.

SecurityAssocitation

id

CDATA

The security association ID or cookie for a party in the negotiation.

AgreementMethod

Algorithm

CDATA

The algorythm URI for the key agreement.

DigestMethod

Algorithm

CDATA

The algorythm URI for the digest.

EncryptionMethod

Algorithm

CDATA

The algorythm URI for the encryption.

SignatureMethod

Algorithm

CDATA

The algorythm URI for the signature.

The base key agreement (BKE) is an implementation of the "Diffie-Hellman Method For Key Agreement" (DH). It allows two nodes to create and share a secret key.

DH is not an encryption mechanism as we normally think of them, in that we do not typically use it to encrypt data. Instead, it is a method to securely exchange the keys that encrypt data. DH accomplishes this secure exchange by creating a "shared secret", sometimes called a "key encryption key", between two nodes. The shared secret then encrypts the symmetric key, or "data encryption key" - DES, Triple DES, CAST, IDEA, Blowfish, etc, for secure transmission.

Two nodes intending to agree on a secret key shall employ the first phase of the agreement independently to produce the public values outputs PV and PV'. The nodes shall exchange the outputs.

The nodes shall then employ the second phase independently with the other nodes's public value as input. The mathematics of Diffie-Hellman key agreement ensure that the resulting outputs SK of the second phase are the same for both entities.

1) First the nodes must get the "Diffie-Hellman parameters". A prime number, 'p' (larger than 2) and "base", 'g', an integer that is smaller than 'p'. They can either be hard coded or fetched from a server.

Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange. The strength of any key derived depends in part on the strength of the Diffie-Hellman group the prime numbers are based on:

Group 2 (medium) is stronger than Group 1 (low). Group 1 will provide 768 bits of keying material, while Group 2 will provide 1,024 bits. If mismatched groups specified on each peer, negotiation will fail. The group cannot be switched during the negotiation.

A larger group results in more entropy and therefore a key which is harder to break.

2) The nodes each secretly generate a private number called 'x', which is less than "p - 1".

3) The nodes next generate the ephemeral public keys, 'y'. They are created with the function:

y = g^x mod p

4) The two nodes now exchange the public keys ('y') and the exchanged numbers are converted into a secret key, 'z'.

z = y^x mod p

'z' can now be used as the key for whatever encryption method is used to transfer information between the two nodes. Mathematically, the two nodes should have generated the same value for 'z'.

z = (g^x mod p)^x' mod p = (g^x' mod p)^x mod p

All of these numbers are positve integers

x^y means: x is raised to the y power

xmody means: x is divided by y and the remainder is returned

Suppose two nodes want to agree on a shared secret key to exchange information securely, they will exchange their public keys in order to encrypt that information. To this goal, the transport XMPP packet SHOULD include an extension of the form:

]]>

In this extension, the only negotiable parameter is the key length that is passed in the length attribute of the <KeyAgreement/> tag. The length attribute is used to retrieve the DH parameter group and the associated prime and generator values. We are using DH groups derived from the Internet Key Exchange protocol (IKE) which is used by IPSec. A summary of these groups and the associated parameters are described later in this document.

An example of using this agreement is to send encrypted password on the wire when registering a new user. Registration is the only time a password needs to be exchanged between an XMPP server and a client. Once that has been carried out, then every authentication can be done through digest.

The client uses an empty <x/> element in the request to signal that it supports the XMPP security extension.

The flow between client and server will look like:

]]>

The server will reply to the request by sending out its own ephemeral public key inside the <x/> extension.

encoded server public key
]]>

The client then generate its own public key, calcultate the shared secret according to the DH method and uses it to encrypt the password accordingly. It includes its own ephemeral public key into the reply to the server inside the <x/> extension.

usernameencrypted passwordencoded client public key
]]>

The server now calculates the shared secret according to the DH method and uses its private key to decrypt the password.

]]>

The Diffie-Hellman key agreement algorithm [10] provides a mechanism to allow key establishment in a scalable and secure way. It allows two parties to agree on a shared value without requiring encryption. An Authenticated Key Agreement (AKE) is a secure protocol ensuring that in addition to securely sharing a secret, the two parties can be certain of each other’s identities, even when an active attacker exists.

This AKE uses a hybrid protocol derived from the Internet Key Exchange (IKE) [1] and the OAKLEY key determination protocol [2]. The purpose is to negotiate and provide authenticated key material for security association (SA) in a protected manner. The basic mechanism is the Diffie-Hellman Key Exchange. It provides the following addition to base key agreement:

it uses weak address validation mechanism (cookies) to avoid denial of service attacks.

it provides negotiation of mutually agreeable supporting algorithm for the protocol, such as the encryption method, the key derivation method and the authentication method.

the authentication does not depend on encryption using the DH exponentials, but instead validates the binding of the exponential to the identities of the parties.

it does not require the computation of the shared exponential before the authentication.

it provides additional security to the derivation of encryption keys, as it is made to depend not only of the DH algorithm but also on the cryptographic method used to securely authenticate the parties to each other.

This key agreement protocol is used to establish a shared key with an assigned identifier and associated identities for two parties. The resulting common keying information state comprise a key name, secret keying material, the identification of the two parties, and three algorithms for use during authentication:

encryption for privacy,

hashing for protecting the integrity of message and for authentication of message fields

authentication to mutually authenticate the parties

The anti clogging tokens, or cookies, provide a weak form of source address identification for both parties. The cookies exchange can be completed before they perform the expensive computations later in the protocol. The cookies are used also for key naming.

The construction of the cookies is implementation dependent. It is recommended to make them the result of a one-way function applied to a secret value (changed periodically), and the local and remote addresses. In this way, the cookies remain stateless and expire periodically. Note that this would cause the KEYID's derived from the secret value to also expire, necessitating the removal of any state information associated with it.

The encryption functions must be cryptographic transforms which guarantee privacy and integrity for the message data. They include any that satisfy this criteria and are defined for use with RFC2406 [3].

The one-way hash functions must be cryptographic transform which can be used as either keyed hash (pseudo-random) or non keyed transforms. They include any that are defined for use with RFC2406 [3].

Where nonces are indicated they will be variable precision integers with an entropy value that match the strength attribute of the DH group used in the exchange.

The main exchange has three optional features:

stateless cookie exchange,

perfect forward secrecy for the keying material,

use of signatures (for non-repudiation).

The two parties can use any combination of these features. The general outline of processing is that the Initiator of the exchange begins by specifying as much information as he wishes in his first message. The Responder replies, supplying as much information as he wishes. The two sides exchange messages, supplying more information each time, until their requirements are satisfied.

The choice of how much information to include in each message depends on which options are desirable. For example, if stateless cookies are not a requirement, and perfect forward secrecy for the keying material are not requirements, and if non- repudiatable signatures are acceptable, then the exchange can be completed in three messages. Additional features may increase the number of roundtrips needed for the keying material determination.

The three components of the key determination are:

Cookies exchange

DH half key exchange

Authentication

The initiator can supply as little information as a bare exchange request, carrying no additional information. On the other hand the initiator can begin by supplying all the necessary information for the responder to authenticate the request and complete the key determination quickly, if the responder choose to accept this method. If not the responder can reply with a minimum amount of information.

The following example indicates how two parties can complete a key exchange in three messages. The identities are not secret, the derived keying material is protected by PFS.

By using digital signatures, the two parties will have a proof of communication that can be recorded and presented later to a third party.

The keying material implied by the group exponentials is not needed for completing the exchange. If it is desirable to defer the computation, the implementation can save the "x" and "g^y" values and mark the keying material as "uncomputed". It can be computed from this information later.

The Aggressive Mode example is written to suggest that public key technology is used for the signatures. However, a pseudorandom function can be used, if the parties have previously agreed to such a scheme and have a shared key.

If the first proposal in the EHAo list is an "existing key" method, then the KEYID named in that proposal will supply the keying material for the "signature" which is computed using the "H" algorithm associated with the KEYID.

In this exchage the two parties are minimally aggressive; they use the cookie exchange to delay creation of state, and they use perfect forward secrecy to protect the identities.

They use public key encryption for authentication; digital signatures or pre-shared keys can also be used. The Main mode does not change the use of nonces, prf's, etc., but it does change how much information is transmitted in each message.

The responder considers the ability of the initiator to repeat CKYr as weak evidence that the message originates from a "live" correspondent on the network and the correspondent is associated with the initiator's network address.

The initiator makes similar assumptions when CKYi is repeated to the initiator. All messages must have valid cookies or at least one zero cookie. If both cookies are zero, this indicates a request for a cookie; if only the initiator cookie is zero, it is a response to a cookie request.

Information in messages violating the cookie rules cannot be used for any operations. Note that the Initiator and Responder must agree on one set of EHA algorithms; there is not one set for the Responder and one for the Initiator. The Initiator must include at least MD5 and DES in the initial offer.

The keying material computed by the key exchange should have at least 90 bits of entropy, which means that it must be at least 90 bits in length. This may be more or less than is required for keying the encryption and/or pseudorandom function transforms.

The transforms used should have auxiliary algorithms which take a variable precision integer and turn it into keying material of the appropriate length. The result of either Main Mode or Aggressive Mode is three groups of authenticated keying material:

Context

Keying Material

Digest

sKEYID_d = prf(sKEYID, KEY | CKYi | CKYi | 0)

Authentication

sKEYID_a = prf(sKEYID, SKEYID_d | KEY | CKYi | CKYr | 1)

Encryption

sKEYID_e = prf(sKEYID, SKEYID_a | KEY | CKYi | CKYr | 2)

and agreed upon policy to protect further communications. The values of 0, 1, and 2 above are represented by a single octet. The key used for encryption is derived from sKEYID_e in an algorithm-specific manner.

Encryption keys used to protect the SA are derived from sKEYID_e in an algorithm-specific manner. When SKEYID_e is not long enough to supply all the necessary keying material an algorithm requires, the key is derived from feeding the results of a pseudo-random function into itself, concatenating the results, and taking the highest necessary bits.

For example, if the (ficticious) algorithm MYALGO requires 320-bits of key, and the prf used to generate sKEYID_e only generates 120 bits of material, the key for MYALGO, would be the first 320-bits of Ka, where:

Ka = K1 | K2 | K3 | ...

And

K1 = prf(sKEYID_e, 0)

K2 = prf(sKEYID_e, K1)

K3 = prf(sKEYID_e, K2)

...

prf is the HMAC version of the negotiated hash function and 0 is represented by a single octet. Each result of the prf provides 120 bits of material for a total of 360 bits. MYALGO would use the first 320 bits of that 360 bit string.

The intitiator uses a <SecurityAssociation/> element in the request to list all the EHA algorithms that it supports. In addition it provides its own DH ephemeral public key.

The values of initiator and responder MUST be the JIDs of the two participants, respectively.

The initiator cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value is used as the originator key name for the security association.

The available set of confidentiality and HMAC cryptographic algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification.

The available set of authentication algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification. When the digital signature form of authentication is selected, the relevant end-entity certificate and, optionally, a chain of CA certificates representing a validation path, is assembled and encoded. A set of trusted CA certificates MAY optionally be included via caCertificate elements; if so, the set MUST include the issuer of the initiator's end-entity certificate.

These values are then used to prepare the XML element; this element is transmitted via the existing XMPP iq mechanism:

A32F...245A
]]>

The responder will reply to the request by sending out its own selcted EHA algorithms that will be used in the remainign transaction.

The values of initiator and responder MUST be the JIDs of the two participants, respectively.

The responder cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value is used as the recipient key name for the security association..

The algorithms attributes are checked against the values supported by the user agent. If the receiver is not able to select one set out of the proposed algorithms, an error code 406-Unacceptable is returned.

The desired confidentiality and HMAC cryptographic algorithms are selected from the proposed set. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification.

The desired authentication algorithm is selected from the proposed set. The manner in which this algorithm is selected and all related policy issues are outside the scope of this specification. In the digital signature case, the responder's end-entity certificate MUST be issued by one of the trusted CAs listed in the session1 PDU or by the same issuer as the initiator's end-entity certificate. If the responder does not have acceptable credentials, an error code of 401-Unuthorized occurs.

A32F...245A324A...BF24
]]>

The intitiator provides its own DH ephemeral public key.

The values of initiator and responder MUST be the JIDs of the two participants, respectively.

The initator and responder cookies are used as the originator key name and the recipient key name for the security association..

A Diffie-Hellman group is selected. The appropriate values for g and p will be used to generate the initiator's public key.

An ephemeral private key, x, is generated using g and p for the selected group. This key MUST be generated using an appropriate random number source. The corresponding public key, g^x, is generated and encoded.

A32F...245A324A...BF24
... encoded initiator public key
]]>

The responder check the validity of the parameters and eventualy replies with its own DH ephemeral public key.

The values of initiator and responder MUST be the JIDs of the two participants, respectively.

The initator and responder cookies are checked; a mismatch results in an error code of 406 - Unacceptable .

The Diffie-Hellman group is checked against the values supported by the user agent. An unsupported group results in an error code of 406 - Unacceptable

An ephemeral private key, y, is generated using g and p for the group indicated by the PDU. This key MUST be generated using an appropriate random number source. The corresponding public key, g^y, is generated and encoded.

A32F...245A324A...BF24
... encoded initiator public key
]]>

The intitiator provides its nonce encrypted with the agreed algorithm and the public key of the responder.

The values of initiator and responder MUST be the JIDs of the two participants, respectively.

The initator and responder cookies are checked; a mismatch results in the procedure being aborted.

The initiator nonce is prepared by first generating a string of 20 random octets (160 random bits). The nonce is then encrypted using the selected encryption algorithm and the shared secret key. The resulting octets are then encoded into a string of base64 characters.

A32F...245A324A...BF24
... encoded encrypted initiator nonce
]]>

The responder replies with the concatenation of its own nonce and the initiator nonce encrypted with the agreed algorithm and the public key of the initiator. The packet is authenticated using the agreed signature algorithm.

The values of initiator and responder MUST be the JIDs of the two participants, respectively.

The initator and responder cookies are checked; a mismatch results in an error code of 401 - Unauthorized.

The initiator nonce is decrypted using the responder private key.

The responder nonce is prepared by first generating a string of 20 random octets (160 random bits). It is then apended to the initiator nonce and the result encrypted using the selected encryption algorithm and the shared secret key. The resulting octets are then encoded into a string of base64 characters.

Based on the selected authentication algorithm, the responder's authenticator is constructed. A digital signature requires calculating:

The initiator authenticate the keying material using the agreed signature algorithm.

The values of initiator and responder MUST be the JIDs of the two participants, respectively.

The initator and responder cookies are checked; a mismatch results in the procedure being aborted.

The concatenation of the responder and initiator nonce is decrypted using the initiator private key. The original initiator nonce is compared to the result. An invalid nonce results in aborting the procedure. Otherwise the result is used to generate Kir

Based on the selected authentication algorithm, the responder's authenticator is constructed. A digital signature requires calculating:

The authenticator is verified. A failure results in an error code of 406 - Unacceptable.

]]>

The intitiator uses <SecurityAssociation/> element in the request to list all the EHA algorithms that it supports. In addition it provides its own DH ephemeral public key. The message is signed with its own private key.

The values of initiator and responder MUST be the JIDs of the two participants, respectively.

The initiator cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value will be used as identifier for the initiator leg of the security association.

The available set of confidentiality and HMAC cryptographic algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification.

The available set of authentication algorithms is selected. The manner in which these algorithms are selected and all related policy issues are outside the scope of this specification. When the digital signature form of authentication is selected, the relevant end-entity certificate and, optionally, a chain of CA certificates representing a validation path, is assembled and encoded. A set of trusted CA certificates MAY optionally be included via caCertificate elements; if so, the set MUST include the issuer of the initiator's end-entity certificate.

A Diffie-Hellman group is selected. The appropriate values for g and p will be used to generate the initiator's public key.

An ephemeral private key, x, is generated using g and p for the selected group. This key MUST be generated using an appropriate random number source. The corresponding public key, g^x, is generated and encoded.

The initiator nonce is prepared by first generating a string of 20 random octets (160 random bits). The resulting octets are then encoded into a string of base64 characters.

Based on the selected authentication algorithm, the initiator's authenticator is constructed. A digital signature requires calculating:

The authenticator is verified. A failure results in an error code of 401 - Unauthorized.

The responder cookie is prepared by generating a string of 32 random octets (64 random bits). The cookie resulting octets are then encoded into a string of hex characters. The generated value will be used as identifier for the responder leg of the security association.

An ephemeral private key, y, is generated using g and p for the group indicated by the PDU. This key MUST be generated using an appropriate random number source. The corresponding public key, g^y, is generated and encoded.

The responder nonce is prepared by first generating a string of 20 random octets (160 random bits). The resulting octets are then encoded into a string of base64 characters.

Based on the selected authentication algorithm, the responder's authenticator is constructed. A digital signature requires calculating:

The Key Transport assumes that a security association be negotiated for the purpose of securely transporting conversation keys. The sender's user agent employs the following algorithm to generate the keyTransport PDU:

The values of initiator and responder MUST be the JIDs of the two participants who negotiated the security association, respectively.

The security association identifier is assembled.

The payload, which consists of the confidentiality key sKEYID_e, digest key sKEYID_d and the integrity key sKEYID_a , is wrapped in instances of xenc:EncryptedKey as follows:

The Type attribute of the xenc:EncryptedKey element MUST indicate 'content'.

The Id, MimeType and Encoding attributes of the xenc:EncryptedKey element MUST NOT be present.

The xenc:EncryptionMethod element MUST be present, and the Algorithm attribute MUST indicate a valid symmetric key wrap algorithm. Furthermore, the algorithm MUST be the same as was negotiated for the security association.

The ds:KeyInfo element MUST NOT be present. The key to use is the shared secret KEY of the negotiated security association.

The xenc:ContainedKeyName element MUST be present.

The xenc:CipherData element MUST be present, and it MUST use the CipherValue choice.

The HMAC is computed using KEY of the negotiated security association. A digital signature requires calculating:

These values are then used to prepare the XML KeyTransport element; this element is transmitted via the existing XMPP iq mechanism. The order in which the keys are in the payload is significant. The first mandatory key is sKEYID_e. The second optional key is sKEYID_a. And the last optional key is sKEYID_d.

A32F...245A324A...BF24-enc</ContainedKeyName>

... encoded encrypted confidentiality key

A32F...245A324A...BF24-auth</ContainedKeyName>

... encoded encrypted confidentiality key

A32F...245A324A...BF24-dig</ContainedKeyName>

... encoded encrypted confidentiality key

... encoded signature value

]]>

The receiver's user agent employs the following algorithm to process each KeyTransport PDU:

The values of initiator, responder, and security association id MUST indicate an existing security association. An invalid security association results in an error of 401 - Unauthorized.

The payload, which consists of the confidentiality key sKEYID_e, digest key sKEYID_d and the intergrity key sKEYID_a, is unwrapped. Any failures result in an error code of 406-Unacceptable.

The body of the HMAC element is decoded into the actual HMAC octet string.

The HMAC is computed using KEY of the security association. A digital signature requires calculating:

The HMAC is validated. An invalid HMAC results in an error code of 406-Unacceptable.

The keys are added to the user agent's key store.

If any errors occur during processing, the error is communicated via the existing XMPP mechanism:

]]>

Public keys are transported embedded in the KeyTransport PDU.

X509 certificates can also be transported in existing XMPP message. The following example uses a presence subscription packet as the vehicle PDU. The subscribee public key and certificate are sent to the initiator of a presence subscription.

CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP
]]>

The values of initiator and responder MUST be the JIDs of the two participants in the exchange, respectively.

The payload, which consists of the public key of the responder is assembled.

The SIGN is computed using the private key of the responder. A digital signature requires calculating:

SIGN = S (JIRi | JIDR | Kr name | Kr) responder private key

These values are then used to prepare the XML KeyTransport element; this element is transmitted via an existing XMPP mechanism. In the following example, the responder public key is sent to the initiator of a presence subscription.

responder@domain key name

... encoded responder public key value

... encoded signature value

]]>

The ultimate goal is the protection of conversation data. The protocol exchanges described above allow the conversation participants to cryptographically protect their conversation data using the conversation keys that they share.

A protected message is defined as a traditional XMPP message whose body content is extended to include the transport of a cryptographically protected message body. The two key features are:

The HMAC is validated. An invalid HMAC results in an error code of 406-Unacceptable.

If any errors occur during processing, the error is communicated via the existing XMPP mechanism:

This section discusses algorithms used with the XMPP security specification. Entries contain the identifier to be used as the value of the Algorithm attribute of the EncryptionMethod element or other element representing the role of the algorithm, a reference to the formal specification, definitions for the representation of keys and the results of cryptographic operations where applicable, and general applicability comments.

The table below lists the categories of algorithms. Within each category, a brief name, the level of implementation requirement, and an identifying URI are given for each algorithm.

Category

Algorithm

URI

Block Encryption

TRIPLEDES

tripledes-cbc

AES-128

aes128-cbc

AES-192

aes192-cbc

AES-256

aes256-cbc

Key Transport

RSA-v1.5

rsa-1_5

RSA-OAEP

rsa-oaep-mgf1p

Symmetric Key Wrap

TRIPLEDES KeyWrap

kw-tripledes

AES-128 KeyWrap

kw-aes128

AES-256 KeyWrap

kw-aes256

AES-192 KeyWrap

kw-aes192

Message Digest

MD5

md5

SHA1

sha1

SHA256

sha256

SHA512

sha512

RIPEMD-160

ripemd160

HMAC-MD5

hmac-md5

HMAC-SHA1

hmac-sha1

HMAC-SHA128

hmac-sha128

HMAC-SHA256

hmac-sha256

Signature

DSAwithSHA1 (DSS)

dsa-sha1

RSAwithSHA1

rsa-sha1

An RSA Laboratories Technical Note
Version 1.4
Revised November 1, 1993upersedes June 3, 1991 version, which was also published as NIST/OSI Implementors' Workshop document SEC-SIG-91-19. PKCS documents are available by electronic mail to <pkcs@rsa.com>.

This standard describes a method for implementing Diffie-Hellman key agreement, whereby two parties, without any prior arrangements, can agree upon a secret key that is known only to them (and, in particular, is not known to an eavesdropper listening to the dialogue by which the parties agree on the key). This secret key can then be used, for example, to encrypt further communications between the parties.

The intended application of this standard is in protocols for establishing secure connections, such as those proposed for OSI's transport and network layers [ISO90a][ISO90b].

Details on the interpretation of the agreed-upon secret key are outside the scope of this standard, as are details on sources of the pseudorandom bits required by this standard.

The next four sections specify parameter generation, two phases of Diffie-Hellman key agreement, and an object identifier.

A central authority shall generate Diffie-Hellman parameters, and the two phases of key agreement shall be performed with these parameters. It is possible that more than one instance of parameters may be generated by a given central authority, and that there may be more than one central authority. Indeed, each entity may be its own central authority, with different entities having different parameters. The algorithm identifier for Diffie-Hellman key agreement specifies which Diffie-Hellman parameters are employed.

Two entities intending to agree on a secret key shall employ the first phase independently to produce outputs PV and PV', the public values. The entities shall exchange the outputs.

The entities shall then employ the second phase independently with the other entity's public value as input. The mathematics of Diffie-Hellman key agreement ensure that the outputs SK of the second phase are the same for both entities.

1. The cost of some methods for computing discrete logarithms depends on the the length of the prime, while the cost of others depends on the length of the private value. The intention of selecting a private-value length is to reduce the computation time for key agreement, while maintaining a given level of security. A similar optimization is suggested by Schnorr [Sch90].

2. Some additional conditions on the choice of prime, base, and private-value length may well be taken into account in order to deter discrete logarithm computation. These security conditions fall outside the scope of this standard.

This section describes the first phase of Diffie-Hellman key agreement.

The first phase consists of three steps: private-value generation, exponentiation, and integer-to-octet-string conversion. The input to the first phase shall be the Diffie-Hellman parameters. The output from the first phase shall be an octet string PV, the public value; and an integer x, the private value.

This phase is performed independently by the two parties intending to agree on a secret key.

The base g shall be raised to the private value x modulo p to give an integer y, the integer public value.

y = gx mod p, 0 < y < p .

This is the classic discrete-exponentiation computation.

The integer public value y shall be converted to an octet string PV of length k, the public value. The public value PV shall satisfy

y = , (1)

where PV1, ..., PVk are the octets of PV from first to last.

In other words, the first octet of PV has the most significance in the integer and the last octet of PV has the least significance.

This section describes the second phase of Diffie-Hellman key agreement.

The second phase consists of three steps: octet-string-to-integer conversion, exponentiation, and integer-to-octet-string conversion. The input to the second phase shall be the Diffie-Hellman parameters; an octet string PV', the other entity's public value; and the private value x. The output from the second phase shall be an octet string SK, the agreed-upon secret key.

This phase is performed independently by the two parties intending to agree on a secret key, after the parties have exchanged public values resulting from the first phase.

The other entity's public value PV' shall be converted to an integer y', the other entity's integer public value. Let PV'1, ..., PV'k be the octets of PV' from first to last. Then the other entity's integer public value y' shall satisfy

y' = .

In other words, the first octet of PV' has the most significance in the integer and the last octet of PV' has the least significance.

The other entity's integer public value y' shall be raised to the private integer x modulo p to give an integer z, the integer secret key.

z = (y')x mod p, 0 < z < p .

This is the classic discrete-exponentiation computation.

Note. The integer secret key z satisfies

z = (y')x = (gx')x = (gx)x' = yx' mod p ,

where x' is the other entity's private value. This mathematical relationship is the reason the two entities arrive at the same key.

The DHKeyValue object identifier is intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field of that type, which has the algorithm-specific syntax ANY DEFINED BY algorithm, would have ASN.1 type DHParameter for this algorithm.

IKE implementations MUST support a MODP group with the following prime and generator. This group is assigned id 5 (five). The 1536 bit MODP group has been used for the implementations for quite a long time, but it has not been documented in the current RFCs or drafts.